Comments

sharing /home over nfs in read/write mode to the entire world is NOT cool

I hope novell considers investing in nfsv4 to help it reach a stable state.
nfsv4 has the ability to secure shares on a user basis using kerberos v5 gssapi

in this howto they use nfsv3 and this is insecure++
sure you can limit the ip ranges that will be allowed to use nfs
and put up some firewall rules and restrict things using
/etc/hosts.allow and /etc/hosts.deny

but these limitations wrongly asume that the intruder attacks from the outside.

is AFS. Yes, AFS is a pain in the butt to set up, but once it works, it is really nifty and a lot less of a pain that NFS, especially when it comes to scaleablilty. Formerly being a product of IBM, it is still supported and has been open sourced in the meanwhile: http://openafs.org/success.html

I can use my uni's AFS tree via ADSL using Kerberos 5 authentication with SUSE 9.2.

I'd have to 2nd the vote for AFS. Not finding what I want wrt security and NFS, I deployed AFS/KerbV within my organization. Aside from being fairly complex to learn and setup, and a bit slow I've found it to be everything I'd hoped for. I have all my users home dirs in AFS. In addition it file serving, it can do replication and snapshot volumes.

I suppose you could only allow NFS over a VPN overlaying your real network so that the floppy solution doesn't work. Then all you need is to crack the workstation using your physical access, *then* use a floppy.

How does the workstation access the VPN? The key used must be something that cannot be accessed from the workstation by a user with a boot floppy, and in this sort of corporate environment, having IT go round with a boot key to machines whenever they get restarted is not an option (typically centralised IT, workstations all over the place, and cleaners don't always choose the right plug to unplug). I can't think of any way to hide data on the machine in such a way that the user cannot access it once booted off his floppy, without bringing a boot key round to each machine as and when they restart.